Scam claiming my account has been hacked and asks for Bitcoins

Hi,

How can I block this kind of mail in Sophos?

""  *********has been hacked, change your password ASAP

Hello,

As you may have noticed, I sent this email from your email account (if you didn't see, check the from email id). In other words, I have full access to your email account.

I infected you with a malware a few months back when you visited an adult site, and since then, I have been observing your actions.

The malware gave me full access and control over your system, meaning I can see everything on your screen, turn on your camera or microphone and you won't even notice it.

I also have access to all your contacts. ""


Best regards



  • I moved this post here and retitled it as it was a new question and one of our rules is "one question per thread."

    I don't know of a way to block these scams as there are rarely keywords in the Subject that you would want to filter on.

    Not only have I received many in English; I also speak French and German, so I've received some in those languages too.  They all make the same claim.  In my case, it was a password phished three years ago and changed within 20 minutes.  The email headers show that my account was forged/spoofed and that the email did not come from the server that handles my email account.  Here's an example from one of the 30+ such scams I've received over the last nine months.

      Received: from [223.230.70.31] (port=49104 helo=abts-ap-dynamic-31.70.230.223.airtelbroadband.in)
      by mail.domain.com with esmtp (Exim 4.82_1-5b7a7c0-XX)
      (envelope-from <account@domain.com>)
      id 1g8Xg2-0002U0-15
      for account@domain.com; Fri, 05 Oct 2018 16:30:26 -0500

    In this case, the .in means the email was sent from an infected computer in India.  If your headers don't include something telltale like that, I would go to https://www.ip2location.com/demo to see that 223.230.70.31 is in Hyderabad, India.

    My guess is that anyone reading this should change their password, but that it's extremely unlikely that they were hacked in the fashion suggested by the email.

    You can get a free account at https://bitcoinwhoswho.com/ and then report the Bitcoin address where the scammer told you to send money.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am using an expression search to block messages using the phrase Bitcoin.

  • This works!  Thanks, Doug!  I can't believe that I missed the fact that the Expression Filter no longer just applies to the Subject.

    Unfortunately, when they did that, they didn't include the From: field in the header; see my suggestion "In Anti-Spam, Expression-check everything after DATA or include From."  Well, well, well - according to that suggestion I made almost four years ago, I apparently knew then that the content was covered by the Expression Filter.

    Again, Doug, I can't tell you how glad I am that you're participating here!

    Cheers - Bob

    PS You will want to use [B|b]itcoin to ensure that you get both bitcoin and Bitcoin.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
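Doug's expression search and Bob's PS above describe a content filter on the word Bitcoin. The Python below is an added example, not code from the thread or from Sophos UTM, showing what such an expression sees in each scope (Subject only, From, body, and the whole DATA section of headers plus body) and one failure mode worth testing for: this class of mail often interleaves keywords with zero-width code points, which render invisibly in a mail client but defeat a plain keyword match unless the text is normalized first. The sample message, the list of zero-width code points and the `normalize`/`scan_message`/`naive_hit` functions are all constructed for this example.

```python
import re
from email import message_from_string

# Code points that render as nothing and are often interleaved with keywords:
# zero-width space, zero-width non-joiner/joiner, word joiner, BOM (constructed list).
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)

# Same intent as the thread's [B|b]itcoin. Inside a character class "|" is a literal,
# so [Bb]itcoin is the tighter form (it does not also match "|itcoin").
BITCOIN_RE = re.compile(r"[Bb]itcoin")

# Constructed sample, not a real message: the body keyword is split with U+200B.
SAMPLE_MSG = (
    "From: account@domain.com\n"
    "To: account@domain.com\n"
    "Subject: account@domain.com has been hacked, change your password ASAP\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hello,\n"
    "As you may have noticed, I sent this email from your email account.\n"
    "Transfer 500 USD in B\u200bit\u200bcoin to the address below within 48 hours.\n"
)


def normalize(text: str) -> str:
    """Drop zero-width code points so 'B\\u200bitcoin' matches like 'Bitcoin'."""
    return text.translate(ZERO_WIDTH)


def naive_hit(raw: str, pattern: re.Pattern = BITCOIN_RE) -> bool:
    """The expression applied to the raw text with no normalization, which is
    what a byte-level keyword filter sees."""
    return pattern.search(raw) is not None


def scan_message(raw: str, pattern: re.Pattern = BITCOIN_RE) -> dict:
    """Apply the expression per scope after normalization: Subject only, From only,
    body only, and the whole DATA section (every header plus the body)."""
    msg = message_from_string(raw)
    subject = normalize(msg.get("Subject", ""))
    sender = normalize(msg.get("From", ""))
    body = normalize(msg.get_payload())
    headers = "\n".join(f"{name}: {normalize(value)}" for name, value in msg.items())
    return {
        "subject": pattern.search(subject) is not None,
        "from": pattern.search(sender) is not None,
        "body": pattern.search(body) is not None,
        "data": pattern.search(headers + "\n" + body) is not None,
    }


if __name__ == "__main__":
    print("raw match without normalization:", naive_hit(SAMPLE_MSG))
    for scope, hit in scan_message(SAMPLE_MSG).items():
        print(f"{scope:8s} {'HIT' if hit else 'miss'}")
```

Running the block shows the raw text does not match at all, while the normalized body and DATA scopes do and the Subject-only scope misses. In a product filter the normalization belongs in front of the expression; without it a single invisible character defeats `[Bb]itcoin`, and a Subject-only scope, which is what the thread says the Expression Filter once was, misses a message whose only keyword is in the body.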
  • I use a webhost for my email needs and light webhosting.

    The rule below helps filter out most of this garbage that appears to be coming from myself.

    Basically it checks the headers to see if they contain the name of my domain (domain.com) AND do NOT contain "107."  This is the first octet of my public IP.  If this evaluation is true then the email did not originate from my network and gets delivered into the spam folder.

    There are some caveats to this.  My cell phone service is AT&T based, so it too will start with 107.  Say I sent an email to myself from a Verizon or Comcast IP; it would get flagged as spam.
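Bob's reading of the Received header and the rule described in the last reply make the same check: mail that claims to come from the organisation's own domain but whose first hop into the organisation's server shows an outside address is spoofed. The Python below is an added example, not the poster's UTM rule (which the thread does not reproduce) and not Sophos code, implementing that check with three refinements a practitioner would want. It uses a CIDR list in place of a first-octet string, since the literal "107." passes every address in 107.0.0.0/8; it reads only the topmost Received header, because every hop below it is text the sender wrote; and it treats Exim's esmtpa/esmtpsa protocol tokens as evidence of SMTP AUTH, which addresses the Verizon/Comcast caveat: a user who submits through the organisation's own server from a carrier address is authenticated, not spoofed. `OWN_DOMAIN`, `TRUSTED_NETS`, the helper `make_sample` and every sample value other than the Received header fields quoted in the thread are constructed for this example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for this example: the organisation's domain and the networks
# allowed to originate unauthenticated mail for it. A CIDR list is the precise
# form of the thread's "starts with 107." idea, which matches all of 107.0.0.0/8.
OWN_DOMAIN = "domain.com"
TRUSTED_NETS = [ipaddress.ip_network("107.0.0.0/24")]  # assumed office range

# First bracketed IPv4 after "from": covers Exim "from [ip] (...)" and
# Postfix/Sendmail "from host (host [ip])" forms.
IP_RE = re.compile(r"from\s.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]", re.DOTALL | re.IGNORECASE)
# Protocol token; Exim writes esmtpa/esmtpsa when the client passed SMTP AUTH.
PROTO_RE = re.compile(r"\bwith\s+(?P<proto>[a-z]+)", re.IGNORECASE)
# Exim's envelope-from clause, as seen in the thread's header.
ENV_RE = re.compile(r"envelope-from\s+<(?P<addr>[^>]+)>", re.IGNORECASE)


def make_sample(ip: str, proto: str, mail_from: str) -> str:
    """Constructed test message with an Exim-style Received header in the shape
    the thread shows; id, date and helo are placeholders."""
    return (
        f"Received: from [{ip}] (port=49104 helo=client.example)\n"
        f"\tby mail.domain.com with {proto} (Exim 4.82_1-5b7a7c0-XX)\n"
        f"\t(envelope-from <{mail_from}>)\n"
        "\tid 1g8Xg2-0002U0-15\n"
        "\tfor account@domain.com; Fri, 05 Oct 2018 16:30:26 -0500\n"
        f"From: {mail_from}\n"
        "To: account@domain.com\n"
        "Subject: account@domain.com has been hacked, change your password ASAP\n"
        "\n"
        "Hello,\n"
    )


# The thread's case: Indian broadband address, plain esmtp, our domain as sender.
SPOOFED = make_sample("223.230.70.31", "esmtp", "account@domain.com")
# Same user on a carrier address, but submitted with SMTP AUTH to our own server.
MOBILE_AUTH = make_sample("198.51.100.7", "esmtpsa", "account@domain.com")
# Unauthenticated relay from inside the assumed office range.
OFFICE = make_sample("107.0.0.25", "esmtp", "account@domain.com")
# Outside sender not claiming our domain: out of scope for this rule.
EXTERNAL = make_sample("203.0.113.9", "esmtp", "someone@example.net")


def classify(raw: str) -> dict:
    """Look only at the topmost Received header (the one our own MX stamped; every
    hop below it is sender-controlled text) and decide whether a message claiming
    our domain really left from somewhere we recognise."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return {"verdict": "no-received", "ip": None}
    top = received[0]
    m_ip = IP_RE.search(top)
    if not m_ip:
        return {"verdict": "unparsed-received", "ip": None}
    ip = ipaddress.ip_address(m_ip["ip"])
    m_proto = PROTO_RE.search(top)
    authenticated = bool(m_proto) and m_proto["proto"].lower() in ("esmtpa", "esmtpsa")
    m_env = ENV_RE.search(top)
    # Prefer the envelope sender recorded by our MX; fall back to the From: header.
    sender = (m_env["addr"] if m_env else parseaddr(msg.get("From", ""))[1]).lower()
    result = {"ip": ip, "sender": sender, "authenticated": authenticated}
    if not sender.endswith("@" + OWN_DOMAIN):
        result["verdict"] = "external-sender"       # not this rule's concern
    elif authenticated:
        result["verdict"] = "legit-authenticated"   # carrier IP, but logged in to our server
    elif any(ip in net for net in TRUSTED_NETS):
        result["verdict"] = "legit-trusted-net"
    else:
        result["verdict"] = "spoofed-own-domain"    # claims our domain, arrived from outside, no AUTH
    return result


if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED), ("mobile", MOBILE_AUTH),
                          ("office", OFFICE), ("external", EXTERNAL)]:
        print(f"{label:9s} {classify(sample)}")
```

The verdict for the thread's own header is `spoofed-own-domain` with the 223.230.70.31 address extracted, while the constructed carrier-address message that authenticated to the server is accepted. Whatever the filter product, the two details that matter are that the trusted hop is the one your own server added, and that "came from our IP range" and "logged in to our server" are both acceptable origins for own-domain mail, so the network list alone will mis-flag roaming users exactly as the last reply describes.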